Eliot Lear <l...@cisco.com> wrote:

> Actually, according to 802.1AR-2009, the subject MUST contain a
> DN with serial number, and it may contain a SAN (e.g., don't count on it).
> That's the major concern. To me, the rest is really negotiable.
OK, great. I don't think what Rich or what I'm proposing is in conflict with that at all. The idea here is to tell certificate verifiers (relying parties):

* If you're looking for a DNS name in a certificate, only look in the subjectAltName; don't look in the Subject Common Name.
* If you're looking for an IP address in a certificate, only look in the subjectAltName; don't look in the Subject Common Name.

That's it. In the case of 802.1AR-2009, the verifier is to look for a distinguished name (either the Subject or a directoryName subjectAltName), not a DNS name or an IP address, so the proposed guidance wouldn't apply.

Note that RFC 6125 punted on IP addresses because they weren't commonly used in certificates in the working group's judgement at the time, but now I think it is clear that an update to RFC 6125 should address IP addresses too.

Cheers,
Brian
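The verifier rule described above, as an added example that is not part of this thread: a Go reference-identifier matcher that consults only dNSName and iPAddress subjectAltName entries, exercised against a constructed self-signed certificate whose Subject CN ("cn-only.example") is deliberately absent from the SAN. The names, the helper functions and the standard-library fixture are assumptions of this example, not from the discussion.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"slices"
	"strings"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildTestCert returns a constructed self-signed cert whose Subject CN differs from its SAN entries.
func BuildTestCert() *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "cn-only.example"}, // never a match source
		DNSNames:     []string{"www.example.test"},           // dNSName SAN
		IPAddresses:  []net.IP{net.ParseIP("192.0.2.1")},     // iPAddress SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// ReferenceMatches applies the proposed rule: DNS names match only dNSName SANs, IP addresses
// only iPAddress SANs, and the Subject Common Name is never consulted. (Wildcards not handled.)
func ReferenceMatches(cert *x509.Certificate, ref string) bool {
	if ip := net.ParseIP(ref); ip != nil {
		return slices.ContainsFunc(cert.IPAddresses, ip.Equal)
	}
	return slices.ContainsFunc(cert.DNSNames, func(san string) bool {
		return strings.EqualFold(san, ref) // DNS labels are case-insensitive
	})
}
```

Go's own cert.VerifyHostname behaves the same way on this certificate, so the two can be compared side by side.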
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta